News Focus

Mattu

02/20/05 12:48 PM

#49979 RE: Jaybeaux #49939

I'm just saying I'm aware there is an issue. Bob and Dave are handling this. Read Bob's post for an update on the situation.

Bob Zumbrunnen

02/20/05 1:14 PM

#49997 RE: Jaybeaux #49939

Update on the email address harvesting situation.

Yes, we know that somehow iHub (and other sites, not including SI) had email addresses harvested from them. The email addresses were subsequently used to send a PayPal phishing email to those addresses. For those who don't know, phishing is a very vile activity in which someone is sent an email pretending to be from a financial institution (PayPal, in this case) and saying that your account has been compromised and including a link and a warning that you must click the link and "verify" your account.

The link takes you not to PayPal but to a separate site (serviceupdates.com, in this case) where, if you enter your email address and PayPal password, they then have possession of your PayPal login information.

The company that hosts serviceupdates.com has been notified, but last I checked, the site was still operational.

Heck, we were going to stay in "radio silence" on this for a bit, but I think it's unlikely that the person who did this will do it again since they got what they want, and doubt they'll even see this post.

We identified the hole. A SQL-injection was used in Member search. We don't keep IIS log files around once we've processed them to gather metrics (because they're about 500 meg per day, which adds up), but Dave used a new toy to dig into the log files we still have, which go back to the 14th of this month.

He found the SQL-injection happened on the 18th. It was a very clever bit of programming the perp did. This guy really knows his stuff! Probably the same guy that did the email and the PayPal-imitating site, because both are also of unusually high quality.

Yesterday, I changed Member search so that you not only have to be logged in to use it, but if you attempt SQL-injection, your account is flagged. This is not only to prevent it happening again, but to help gather as much data as we can if it does.

We have, however, gathered a lot of data already, and it will be handed over to the FBI and PayPal. Fortunately, PayPal is quite aggressive about fighting this kind of stuff and has the resources to pursue these things as aggressively as possible. I won't say the same for the FBI.

In the meantime, I'm going through both sites to make sure similar injections can't be done in the future.

If anyone ever gets a phishing email and is fooled by it into giving their account info, they need to immediately go to PayPal and change their password, assuming the phishermen haven't already done so. If they have, then you should forward a copy of the email to anti-fraud@paypal.com and request a password change.

Oh, and the person who did the harvesting didn't get login IDs and passwords. They were only interested in getting email addresses for phishing.
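The Member search hole and the fix Bob describes above (login required, injection attempts flagged, query no longer built from the search term), as an added illustration that is not iHub's code: a toy member table in SQLite, with the search written first by string concatenation and then with a bound parameter plus the account flag. The table layout, the `login_id`/`email` columns and the injection heuristic are assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the site's member table (assumption, not iHub's schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (login_id TEXT PRIMARY KEY, email TEXT, flagged INTEGER DEFAULT 0)")
    conn.executemany("INSERT INTO members (login_id, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com"),
                      ("carol", "carol@example.com")])
    conn.commit()
    return conn

def member_search_vulnerable(conn, term):
    # The search term is spliced into the SQL text, so a crafted term can turn
    # "find matching logins" into "return every email address in the table".
    sql = "SELECT login_id FROM members WHERE login_id LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

# Hypothetical heuristic for terms that look like injection attempts: quotes,
# SQL comment markers, statement separators and set-operator keywords.
INJECTION_MARKERS = re.compile(r"['\";]|--|/\*|\b(union|select)\b", re.IGNORECASE)

def looks_like_injection(term):
    return INJECTION_MARKERS.search(term) is not None

def member_search_hardened(conn, current_user, term):
    # 1. Only logged-in members may search.
    if current_user is None:
        raise PermissionError("Member search requires login")
    # 2. A suspicious term flags the searching account and returns nothing,
    #    so the attempt is recorded as evidence instead of silently dropped.
    if looks_like_injection(term):
        conn.execute("UPDATE members SET flagged = 1 WHERE login_id = ?", (current_user,))
        conn.commit()
        return []
    # 3. The term is bound as a parameter, so it can never become SQL syntax;
    #    this alone closes the hole, the flag is for gathering data.
    rows = conn.execute("SELECT login_id FROM members WHERE login_id LIKE ?", ("%" + term + "%",))
    return [row[0] for row in rows]

def is_flagged(conn, login_id):
    row = conn.execute("SELECT flagged FROM members WHERE login_id = ?", (login_id,)).fetchone()
    return bool(row and row[0])
```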